Source image is not created for trusted boot but it is turned on the VM.

Brass Contributor



New to Bicep and learning it by deploying a mini environment in my lab. I am using the same code base as defined here: but I have made some alterations to it as I am trying to create a gen2 Trusted Launch VM to be used instead of a standard SecurityType defined in this blog. 

  1. I create my initial image version of Windows 11 using Securitytype trusted launch. This was just a standard Microsoft gallery image, which I then sysprep and generalise. That all seem to well and my base image has the security Type that I want. Defined in my BICEP file under
resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  // Security profile properties...
  securityProfile: {
    uefiSettings: {
      secureBootEnabled: true
      vTpmEnabled: true
    securityType: 'TrustedLaunch'
  diagnosticsProfile: {
    bootDiagnostics: {
      enabled: true

When I come to run the main.bicep file alongside the parameters which then pulls the various modules depending on where it is in the build it goes through the process of deploying the gallery image but fails with the error:


The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions/<mysubscriptionID>/resourceGroups/uks-rb81-vdi-avd-hpl-priv-001-01/providers/Microsoft.Compute/galleries/uksbldglbssvgal01/images/uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001/versions/2023.09.26) The source 'subscriptions/<mysubscriptionID>/resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'. (Code: Conflict)


I am really confused where I need to set this, I thought it would be under the bicep file deploy-shared-image-gallery.bicep but then when I declare the params and resource as 


//Create VM with Security type
resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-07-01' = {
  name: imageDefinitionName
  location: location
  securityType: 'TrustedLaunch'
It just says The property "securityType" is not allowed on objects of type "Microsoft.Compute/virtualMachines". Permissible properties include "asserts", "dependsOn", "extendedLocation", "identity", "plan", "properties", "tags", "zones". If this is an inaccuracy in the documentation, please report it to the Bicep Team.
Could it be an expression that I need to define:? Param and var value?
Any help on this would be most appreciated.

1 Reply
best response confirmed by isotonic_uk (Brass Contributor)


Thought I would add, managed to resolve in the end. I needed to add features into the deploy-shared-image-gallery.bicep file

features: [
name: 'SecurityType'
value: 'TrustedLaunch'

at the point when it creates the resource galleryDefinition after it declares the hyperVGeneration. What I found is its not well documented at the moment.